ABSTRACT

A data-sharing scheduler is defined in terms of finite-state machine theory. Using the language and concepts of finite-state machines, we give precise definitions for the notions of "delayed," "blocked," "deadlock," "permanent blocking," and "sharing a datum"; these notions and their interrelationships lead to a characterization of a class of scheduler (unrestricted and nontrivial); a basic theorem of data sharing is stated and proved, and its implications are explored. We also give a narrative summary and discussion of the main result of the work suitable for the system designer or analyst.
SECTION I

INTRODUCTION

Most data-sharing models which purport to avoid deadlock, including the models described in (6) (Part 1 of this series, which we shall hereinafter refer to as "HC1"), require an entering process to state which data elements it may use during its run. This requirement of prior knowledge seemed to be a logical candidate for weakening when we began attempting the formulation of a new model. A few initial failures in this direction suggested that perhaps prior knowledge of the requirements of a process is necessary to any data-sharing system which prevents deadlock. It is the intent of this paper to investigate the necessity of "prior knowledge" rigorously.

The sections of this paper are in the order which we felt would be most convenient for the majority of readers who may wish to apply the results reported herein to the practical problems of system design. We have, for example, presented the main result in narrative form together with some of its practical implications in the next section. The mathematical and developmental aspects of the work are then presented in subsequent sections.

The language of complete sequential machines was chosen to provide a rigorous framework for the investigation. Sections III through VI inclusive, assuming the material of the Appendix, develop concisely the relevant concepts involved in data sharing.
SECTION II

SUMMARY

PRECIS

We shall first, in narrative form, describe the main concepts which we have developed rigorously in the remainder of this paper. Then we shall state the main result of this paper. Finally, we shall briefly discuss the implications of the main result from the point of view of the system designer.

We consider the management of access to data in a system to be controlled by a Scheduler which is embedded in the system. The data in the data base are of two types with respect to the Scheduler: the data which may at some time, in some mode of use, be non-shareable simultaneously by two or more users (the critical data) and the data which are always shareable simultaneously by two or more users (the noncritical data). The function of the Scheduler is to avoid situations wherein critical data are being inappropriately shared.

Schedulers will be categorized broadly in two major ways in this paper. The first categorization involves the manner in which the data base is shared. A Scheduler is said to be nontrivial if it allows two or more users to have simultaneous access to critical data in the data base (perhaps two different data elements). On the other hand, a Scheduler is trivial if no more than one user at a time can have access to any elements in the critical data base. In a certain sense, a trivial Scheduler acts as a queue for the elements of the data base which cannot always be shared (i.e., as a queue for the critical data).

Two examples may illustrate what we mean to include in the designation "trivial Scheduler." If a Scheduler allows only one user access to the entire data base (one user at a time), no deadlock can occur and integrity of the data base can be preserved. In this case, the Scheduler acts as a queue of processes waiting for access to the entire data base: a request for access to a datum is granted if no other process has access to any element of the data base and is denied if any other process has access to some element of the data base. Suppose instead that a Scheduler always grants requests for access to data except for one datum, say $d_1$; a request for access to $d_1$ is granted only when no other process has access to $d_1$. Then, deadlock cannot occur since only requests for $d_1$ are ever denied; also, by assumption, simultaneous access to any element except $d_1$ will not compromise the integrity of the data base. In this case, the Scheduler acts as a queue with respect to $d_1$ and as a green light for the rest of the data base. This example is easily generalized so that $D_1$ contains a subset of the data base and only one process at a time may have access to elements in $D_1$.

The second categorization of Schedulers concerns "prior knowledge" of the users' needs. In the models of HC1, for example, a process must state its claim list before it begins its run; for the remainder of the run, the system and that process share the knowledge of which data can be accessed and in what mode. This claim list is prior knowledge of the process's data needs during the run. Requests for data that are not properly claimed on the claim list are illegal and would be considered errors. In other models, an entering process can be required to supply information about its data needs and about the order in which the data will be used. In every case, the limiting values on a process's access capabilities, as a list of legal requests for data, would be considered prior knowledge. In this paper, we have used a more general concept which is explained below.

A Scheduler is said to be unrestricted if every request for access to any datum by any user is legal at any time. A Scheduler is restricted if some request for access to some datum by some user is illegal at some time. A restricted Scheduler has prior knowledge of the users' actions in that there is at every instant a list of acceptable (legal) requests that each user can make. The lists need not remain static as in the models of HC1; the only requirement is that there be such lists. In a real system, a user will know his options at each stage of his run and will thus be aware of the constraints placed on him. Notice, however, that unrestricted does not mean that every request for access will immediately be granted; indeed, we allow that an unrestricted Scheduler may deny a request for access to some datum by some user.

The forms that restricted Schedulers can take are many, as these examples will indicate. The models of HC1 are typical examples of restricted Schedulers. Another interesting example can be formulated in terms of the "name your elements in order" strategy for access.

In this strategy all accessible elements are assumed to be ordered (i.e., there is a first, second, third, ...). A rule imposed on a process (user) is that it must always ask for access to elements in ascending order of their arrangement; it need not ask for elements which are contiguous in the ordering. The rule simply says that if a process is going to ask for an element b and a is the latest element it has acquired access to, then b must follow a in the ordering of the elements. If we assume that no elements may be shared and that the rule is enforced, then we have an example of a system which does not have a deadlock state and which does not share a datum; clearly, however, the Scheduler which manages this is restricted since a process having b may not legally ask for a, where a precedes b in the ordering of the elements.

Intuitively, an optimal Scheduler would be nontrivial (to effect as much "sharing" as possible) and unrestricted (to rid the users of the necessity of using some version of claims lists). However, the Basic Theorem stated and proved in Section V says essentially that

"an unrestricted, nontrivial data-sharing Scheduler has a deadlock state or a state in which it shares a critical (unshareable) datum."

The major implications of the Basic Theorem are that an unrestricted, nontrivial, deadlock-free data-sharing system cannot guarantee integrity of the data base and that an unrestricted, nontrivial data-sharing system that does guarantee integrity of the data base cannot be deadlock-free. In other words, a design for a data-sharing system which must prevent deadlocks while guaranteeing integrity of the data base must involve either a restricted Scheduler or a trivial Scheduler.

CONCLUSIONS

We have arrived at two basic sets of conclusions, one having to do with data-sharing models and the other having to do with future investigations in this area.

The Basic Theorem of this paper indicates that in investigating strategies for achieving harmonious cooperation one must impose some restrictions on the users of the system. The particular form the restrictions take is of course important to the system designer since he will certainly wish to optimize one or more parameters and since different sets of restrictions could cause the data-sharing systems to appear quite different to the users.

Our conclusions about data-sharing models center around our evaluation of the generality of the models in HC1. The Basic Theorem further indicates that the models of HC1 are essentially representative of the entire family of models which preserve integrity of the data base and which prevent deadlock and permanent blocking. The theorem indicates also that other significant models in the family are to be found by investigation of the conditions which make the models of HC1 restricted schedulers — to wit, investigation of alternatives to static declaration by a process of its claim lists. Modifications to the strategies of HC1 or alternate strategies not having to do with this aspect of the model do not essentially change the model but may affect factors such as efficiency.

With regard to future work in this field, we believe that it will be fruitful to pursue the theoretical investigation begun in this paper — this belief seems justified in light of the significant result obtained from our simple use of basic finite-state machine theory. An obvious extension of this work would be the development of a characterization of a system with respect to permanent blocking, similar to the characterization presented herein with respect to deadlock.
SECTION III

DATA-SHARING SCHEDULERS

A number of data-sharing schemes (see (6, 4)) can be pictured as involving a black box for processing requests for data. Such a black box will typically receive as inputs

(1) requests for access to a datum in a particular mode (for example, write or read-only) and

(2) notifications that a particular datum has been returned to the data base.

The data-sharing scheme provides a method for the black box to process a request or a notification. The first capability is usually to determine whether the input signal is "legal." For example, if a process P is forbidden by the scheme to request datum s in a write mode, a request from P for write access to datum s would normally cause the system to label the request an error. If an input is acceptable, it is processed. An acceptable request input produces either a granting response or a denying response. An acceptable datum-release input will generally cause internal bookkeeping; sometimes a release of a datum will cause the system to grant a request that had been denied earlier. For our purposes, another concept we must deal with is the idea that some record must be kept of the status of each datum and of each process: if this type of record is not kept, an actual data-sharing system could become hopelessly entangled.

The discussion in the preceding paragraph will be taken as justification for the definition of a data-sharing scheduler below. The material which follows uses the definitions found in the Appendix.

Let $P = \{P_1, \ldots, P_n\}$ and $S = \{s_1, \ldots, s_m\}$ be finite sets. An element of $P$ will be called a "process" and an element of $S$ will be called a "datum". A complete sequential machine $M = (K, \Sigma, \Delta, \lambda, \delta)$ is a data-sharing scheduler for $(P, S)$ if

(1) $\Sigma \supseteq A \cup R$, where

(a) $A$ is a set whose elements are called "requests" and

(b) $R = \{r(a) : a \in A\}$ is a set whose elements are called "releases";

(2) $\Delta \supseteq \{\phi, \text{error}\} \cup \{G(a) : a \in A\} \cup \{D(a) : a \in A\}$;

(3) there is a unique state $q_0 \in K$ such that any $q \in K$ is of the form $q = \delta(q_0, J)$ for some tape $J$; and

(4) any state $q \in K$ specifies which processes have been granted access to which data and which processes have been denied access to some datum and have not yet been granted access in this state — that is, every state $q$ records the current data allocation.

The elements of $A$ are to be understood as requests for access to data. We shall denote by "$A_{ij}$" the set of all requests for datum $s_j$ by process $P_i$. In other words, $A$ is the disjoint union of all the sets $A_{ij}$ where $1 \le i \le n$ and $1 \le j \le m$, and any element of $A_{ij}$ will be understood to be a request by $P_i$ for some (unspecified) kind of access to datum $s_j$. "$a_{ij}$" will be used to denote an element of $A_{ij}$. The elements of $R$ are to be understood as notifications of the release of a datum: $r(a_{ij})$ is the notification that $P_i$ relinquishes access to datum $s_j$ as specified in request $a_{ij}$.

The output $G(a_{ij})$ is the granting of request $a_{ij}$; $D(a_{ij})$ is denying it.¹ The output error indicates an inappropriate input was supplied: for example, we would normally expect $\lambda(q_0, r(a_{ij})) = \text{error}$ for every request $a_{ij}$. The output $\phi$ is a go-ahead signal which is used when an input $r(a)$ yields neither an error output nor a $G(a_{ij})$ output.

With this precise definition of a data-sharing scheduler in hand, we are now in a position to begin a rigorous investigation of the major problems involved in data sharing — blocking, deadlock, and integrity of the data base.

¹ The specification of a data-sharing scheduler does not take into account the action taken by the system when a request is denied. In particular, no assumption is made about whether a process is queued following a denial of its request.
SECTION IV

BLOCKING AND DELAYS

One of the problems that a data-sharing scheme must deal with is permanent blocking. Permanent blocking of a process P is a situation where it is possible for P to be "temporarily" denied access to some datum repeatedly for an indefinite period of time. Permanent blocking in a resource-sharing situation is discussed by Holt, and examples of permanent blocking in a data-sharing situation are given in Section IV of HC1 (on pages 32 and 35). One solution to the problem of permanent blocking for data sharing is given in the second and third models of HC1. In essence, the solution's strategy is to close the system to entering processes when it first appears that some process P may be permanently blocked. The system then becomes internally identical to a system where no processes can enter. If each process terminates in a finite amount of time and if no processes can enter the system, then permanent blocking cannot occur by Theorem 11 of HC1. Hence the strategy used in HC1 guarantees that if a process P is given special attention to prevent it from becoming permanently blocked, then in some (unspecified) finite amount of time P will be able to proceed. The remainder of this section will provide both rigorous definitions of the concepts involved here and a brief analysis of their interrelations.
Let $M = (K, \Sigma, \Delta, \lambda, \delta)$ be a data-sharing scheduler for $(P, S)$. For $q \in K$, we say that $P_i$ is waiting for access to $s_j$ at $q$ via $a_{ij}$ (or briefly, "$P_i$ is waiting for $s_j$ at $q$") if there is a state $q'$ and a tape $J$ such that

(1) $\lambda(q', a_{ij}) = D(a_{ij})$;

(2) $\delta(q', a_{ij}J) = q$; and

(3) $\lambda(q', a_{ij}J)$ does not contain $G(a_{ij})$.

Heuristically, $P_i$ is waiting for $s_j$ at $q = \delta(q', a_{ij}J)$ if $P_i$ was denied access to $s_j$ at $q'$ and access has not yet been granted.

The intuitive idea of permanent blocking is that a process $P_i$ is waiting for $s_j$ at $q$ and that $P_i$ could be waiting after any number of inputs (all "legal" in the sense that no one of them elicits an error output) has been processed. Our definition of permanent blocking will rely on the definitions below of "legal tapes" and of "k-blocked."

An input tape $J$ will be called legal for $q \in K$ if $\text{error} \notin \lambda(q, J)$. We say that $P_i$ is k-blocked at $q$ via $a_{ij}$ if $P_i$ is waiting for $s_j$ at $q$ via $a_{ij}$ and there is an input tape $J$ of length $k$ which is legal for $q$ such that $G(a_{ij}) \notin \lambda(q, J)$. That is, $P_i$ is k-blocked at $q$ via $a_{ij}$ if it is possible for $k$ "legal" inputs to be processed without granting the request $a_{ij}$. Clearly our definition of permanently blocked must imply k-blocked for every $k$.

We say that $P_i$ is permanently blocked at $q$ if $P_i$ is waiting for $s_j$ at $q$ via some $a_{ij}$ and $P_i$ is k-blocked via $a_{ij}$ for all $k > 0$. An equivalent statement of permanent blocking is given in Theorem 1.

Theorem 1: $P_i$ is permanently blocked at $q$ if and only if $P_i$ is waiting for $s_j$ at $q$ via some $a_{ij}$ and there is a sequence $\{I^k : 0 < k \text{ and } I^k \in \Sigma\}$ such that $G(a_{ij}) \notin \lambda(q, I^1 \ldots I^m)$ and $I^1 \ldots I^m$ is legal for $q$ for every $m > 0$.

Proof: The condition is sufficient. To show $P_i$ is k-blocked at $q$ via $a_{ij}$, it suffices to consider the legal tape $I^1 \ldots I^k$.

Conversely, suppose $P_i$ is permanently blocked at $q$ via $a_{ij}$. For $s > 0$, let $A_s$ denote the set of legal tapes $J$ of length $s$ such that $G(a_{ij}) \notin \lambda(q, J)$. Since $P_i$ is permanently blocked via $a_{ij}$, each $A_s \ne \emptyset$ for $s > 0$. Also, if $s > 1$ and $J = J^*I \in A_s$ where $I \in \Sigma$, then $J^*$ is a legal tape of length $s - 1$ such that $G(a_{ij}) \notin \lambda(q, J^*)$: $\lambda(q, J^*)$ is a subset of $\lambda(q, J)$. Hence every element $J$ of $A_s$ ($s > 1$) is of the form $J = J^*I$ where $J^* \in A_{s-1}$ and $I \in \Sigma$. Since $\Sigma$ is finite, $A_{s+1}$ is finite provided $A_s$ is finite. Moreover, $A_1$ is finite as a subset of $\Sigma$. Hence every $A_s$ is finite. Define $F_s : A_s \to \mathcal{P}(A_{s+1})$ (the "power set" of $A_{s+1}$ — that is, the set of all subsets of $A_{s+1}$) by $F_s(J) = \{JI : JI \text{ is a legal tape for } q \text{ and } G(a_{ij}) \notin \lambda(q, JI)\}$.

The sets $\{A_s : 0 < s\}$ and $\{F_s : 0 < s\}$ have the property that for any $k > 0$ there is a sequence $\{J^{(k)}_s : 0 < s \le k\}$ such that $J^{(k)}_s \in A_s$ for $0 < s \le k$ and $J^{(k)}_{s+1} \in F_s(J^{(k)}_s)$ for $0 < s < k$. By the König Graph Theorem, this property implies that there is a sequence $\{J_s : 0 < s\}$ such that $J_s \in A_s$ and $J_{s+1} \in F_s(J_s)$ for all $s > 0$. Set $J_1 = I^1$ and write $J_{s+1} = J_s I^{s+1}$ for all $s \ge 1$. The sequence $\{I^k : 0 < k\}$ of inputs establishes that the second condition of the theorem is necessary.

An interpretation of this theorem is that $P_i$ is permanently blocked at $q$ if it is possible for some sequence of legal inputs never to grant access to an $s_j$ for which $P_i$ is waiting at $q$. That is to say, the theorem shows that the rigorous definition of permanent blocking given in this section conforms with the usual intuitive notion of permanent blocking.

As mentioned before, the strategy for avoiding permanent blocking in the models of HC1 alters the rules of the game so that a process P in danger of permanent blockage is guaranteed that in some finite amount of time its denied request will be granted. Moreover, if one knew a maximum number of data transactions left in the run of each other running process, one could calculate the maximum length of "time" (measured in legal data transactions, a request or release) that P would have to wait before his request would be granted. This concept of the "maximum wait time" has some interesting relations with the various concepts of blocking.


We will say that $P_i$ is k-delayed at $q$ via $a_{ij}$ if

(1) $P_i$ is waiting for $s_j$ at $q$ via $a_{ij}$;

(2) for all legal tapes $J$ of length $k$, $G(a_{ij}) \in \lambda(q, J)$; and

(3) there is a legal tape $J^*$ of length $k - 1$ such that $G(a_{ij}) \notin \lambda(q, J^*)$.

Thus, $P_i$ is k-delayed if it has been denied access to some $s_j$ via some $a_{ij}$ and if it is possible that it will have to wait for $k$ legal inputs to be processed before it gains access but not possible that it will have to wait for more than $k$ legal inputs to be processed. An immediate result is the following theorem.

Theorem 2: If $P_i$ is k-delayed at $q$ via $a_{ij}$ for $k > 1$ and $I \in \Sigma$ is such that $\lambda(q, I)$ is neither error nor $G(a_{ij})$, then $P_i$ is m-delayed at $\delta(q, I)$ via $a_{ij}$ for some $1 \le m < k$.

Proof: $P_i$ is still waiting for $s_j$ at $\delta(q, I)$ via $a_{ij}$. Moreover, for any legal input tape $J$ of length $k - 1$, $IJ$ is a legal tape of length $k$, so that $G(a_{ij}) \in \lambda(q, IJ)$; since $\lambda(q, I) \ne G(a_{ij})$, this gives $G(a_{ij}) \in \lambda(\delta(q, I), J)$. Suppose $J^*$ is the longest legal tape such that $G(a_{ij}) \notin \lambda(\delta(q, I), J^*)$. Then the length of $J^*$ is $n < k - 1$. Hence for any legal tape $J$ of length $m = n + 1$, $G(a_{ij}) \in \lambda(\delta(q, I), J)$ by the maximality of the length of $J^*$. Furthermore, $P_i$ is m-delayed at $\delta(q, I)$ via $a_{ij}$ where $m = n + 1 \le k - 1 < k$.

The precise relation between permanent blocking and k-delays is shown in the next theorem.

Theorem 3: $P_i$ is permanently blocked at $q$ via $a_{ij}$ if and only if $P_i$ is waiting for $s_j$ at $q$ via $a_{ij}$ and $P_i$ is not k-delayed via $a_{ij}$ for any $k > 0$.

Proof: Suppose $P_i$ is waiting for $s_j$ at $q$ and $P_i$ is not k-delayed for any $k > 0$. Then for each $k > 0$, either

i) there is a legal tape $J$ of length $k$ such that $G(a_{ij}) \notin \lambda(q, J)$, or

ii) for all legal tapes $J^*$ of length $k - 1$, $G(a_{ij}) \in \lambda(q, J^*)$.

Let $k = 1$. Then ii) cannot hold since it must be true that $G(a_{ij}) \notin \lambda(q, \Lambda)$ for the empty tape $\Lambda$. Thus i) holds for $k = 1$: there is a legal tape $J$ of length 1 such that $G(a_{ij}) \notin \lambda(q, J)$. Let $k = 2$. Then ii) cannot hold since we have just established the existence of a tape which contradicts ii) for $k = 2$. Proceeding inductively we find that for every $k > 0$ there is a legal tape $J$ of length $k$ such that $G(a_{ij}) \notin \lambda(q, J)$. Therefore, $P_i$ is k-blocked for every $k > 0$ and is therefore permanently blocked.
Conversely, assume that either $P_i$ is not waiting for $s_j$ at $q$ via $a_{ij}$ or $P_i$ is k-delayed via $a_{ij}$ for some $k > 0$. If $P_i$ is not waiting for $s_j$ at $q$ via $a_{ij}$, then $P_i$ is clearly not permanently blocked at $q$ via $a_{ij}$. If $P_i$ is k-delayed via $a_{ij}$ for some $k > 0$, then for every legal tape $J$ of length $k$, $G(a_{ij}) \in \lambda(q, J)$, and therefore $P_i$ is not permanently blocked since it is not k-blocked for this particular $k$.

The corollary below follows directly from Theorem 3.

Corollary: If $P_i$ is k-delayed at $q$ via $a_{ij}$, then $P_i$ is not permanently blocked at $q$ via $a_{ij}$.

Our last result involving delays and blocking is Theorem 4 below.

Theorem 4: If $P_i$ is k-delayed at $q$ via $a_{ij}$ for some $k > 1$, then $P_i$ is (k − 1)-blocked at $q$ via $a_{ij}$.

Proof: That $P_i$ is k-delayed implies that there is a legal tape $J$ of length $k - 1$ such that $G(a_{ij}) \notin \lambda(q, J)$, which by definition means that $P_i$ is (k − 1)-blocked.
SECTION V

THE BASIC THEOREM

In this section we formally introduce the concepts of deadlock and of integrity of the data base. The section ends with the Basic Theorem which relates these concepts with the type of data-sharing scheduler necessary to avoid deadlock and to preserve the integrity of the data base.

We begin by making explicit the concept of "current access." For a state $q$, we say $P_i$ has access to $s_j$ at $q$ via $a_{ij}$ if there is a state $q'$, an input $I$, and a tape $J$ with $r(a_{ij})$ not in $J$ such that

(1) $\lambda(q', I) = G(a_{ij})$ and

(2) $\delta(q', IJ) = q$.

Heuristically, $P_i$ has access to $s_j$ at $q$ if $P_i$ was granted access at state $q'$ and $P_i$ has not relinquished access on some path from $\delta(q', I)$ to $q$. Note that we could have $I = a_{ij}$, or $P_i$ might have made the request $a_{ij}$ for $s_j$ at some predecessor state of $q'$.

We are naturally concerned with the interaction of processes operating on a common set of data. If $S = \{s_1, \ldots, s_m\}$ is a finite set of elements (intuitively, the data of the data base), we shall be interested in the nontrivial or critical portion of $S$. We will define $C$ such that $C$ includes only those elements of $S$ which may at some time (that is, in some state) be considered non-shareable; $S - C$ then includes only those elements which may always be shared. Set $C = \{s_j :$ there is a state $q(j) \in K$ and an integer $i(j)$ such that

(1) $P_{i(j)}$ has access to $s_j$ at $q(j)$, and

(2) $\lambda(q(j), a_{ij}) = D(a_{ij})$ for every $i \ne i(j)$ and every $a_{ij} \in A_{ij}\}$.
We must next define deadlock in the present context. Deadlock is defined here in precisely the expected manner. A state $q$ is a deadlock state if there are sets $\{P_{i_1}, \ldots, P_{i_k}\}$ of processes and $\{s_{j_1}, \ldots, s_{j_k}\}$ of data such that each $P_{i_t}$ has access to $s_{j_t}$ at $q$ and each $P_{i_t}$ is waiting for $s_{j_{t+1}}$ at $q$ (where $s_{j_{k+1}}$ is defined to be $s_{j_1}$).

Note that if $q$ is a deadlock state then each $P_{i_t}$ involved is permanently blocked at $q$. On the other hand, if $P_i$ is permanently blocked at $q$ via $a_{ij}$, then $q$ is not necessarily a deadlock state (see HC1, page 35). Thus, a data-sharing scheduler which does not allow permanent blocking does not have a deadlock state, but a scheduler which has no deadlock state may still allow permanent blocking.

The object of this section is to characterize "unrestricted" data-sharing schedulers which do not have deadlock states. A conjectural characterization might be that data-sharing schedulers which have no prior knowledge of the running processes' needs and which do not have deadlock states either do not share the data base or they do not preserve the integrity of the data base, in the sense of HC1. This conjecture is in fact true, if the concepts involved are taken to be as we define them below.

To formalize the idea of "prior knowledge," we introduce the concept of an unrestricted² data-sharing scheduler. A data-sharing scheduler $M$ is unrestricted if for every state $q$ and every $a_{ij} \in A$, $\lambda(q, a_{ij}) = \text{error}$ implies that $P_i$ has access to $s_j$ at $q$ via some request $a'_{ij} \in A_{ij}$. Loosely speaking, $M$ is unrestricted if no request by a process $P$ is illegal except (possibly) a request for a datum to which $P$ already has access.

We will call $M$ a trivial³ data-sharing scheduler if one or both of the following conditions hold:

(1) for every state $q$ and every pair $(P_{i_1}, s_{j_1})$ and $(P_{i_2}, s_{j_2})$ of $P \times C$ where $i_1 \ne i_2$, $P_{i_1}$ has access to $s_{j_1}$ at $q$ implies that $P_{i_2}$ does not have access to $s_{j_2}$ at $q$;

(2) $|C| \le 1$.⁴

² This term is not to be confused with the term "nonrestricted sequential machine" (see, for example, (2)), a synonym for "complete sequential machine."

³ Not to be confused with a trivial finite-state machine (2).

⁴ $|X|$ means the cardinality of $X$; i.e., the number of elements of $X$.
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j 


$M$ is nontrivial if it is not trivial; that is, $M$ is nontrivial if and only if $|C| > 1$ and there is a state $q$, processes $P_{i_1}$ and $P_{i_2}$ where $i_1 \neq i_2$, and data $s_{j_1}$ and $s_{j_2}$, both in $C$, such that $P_{i_1}$ has access to $s_{j_1}$ at $q$ and $P_{i_2}$ has access to $s_{j_2}$ at $q$. Intuitively, a data-sharing scheduler is trivial if it "shares" data by allowing only one process at a time access to $C$, the critical subset of the data set $S$.

We say that $M$ shares a datum if there is a state $q$, processes $P_{i_1}$ and $P_{i_2}$ with $i_1 \neq i_2$, and a datum $s_j \in C$ such that $P_{i_1}$ and $P_{i_2}$ both have access to $s_j$ at $q$. This formalization relates to integrity of the data base in the following way: in the case that $M$ shares a datum $s_j$ and $s_j$ should not be shared (consider two processes simultaneously using $s_j$ in write-mode, as in HC1), then integrity of the data base will, in general, be destroyed. Thus, "sharing a datum" is a restricted converse of the concept of integrity of the data base.

We are now ready to state the conjectural characterization given above in rigorous terms and to prove its validity.

Basic Theorem: An unrestricted, nontrivial data-sharing scheduler $M$ has a deadlock state or shares a datum.^5

Proof: Suppose $M$ does not share a datum. Pick a state $q$ such that processes $P_{i_1}$ and $P_{i_2}$ have access to $s_{j_1}$ and $s_{j_2}$ (respectively) at $q$, where $s_{j_1}$ and $s_{j_2}$ are elements of $C$; such a choice is possible since $M$ is nontrivial. Furthermore, $j_1 \neq j_2$ since $M$ does not share a datum. Let $J$ be the tape $a_{i_1 j_2}\, a_{i_2 j_1}$. Clearly $J$ is a legal tape: $M$ is unrestricted, so a request can be illegal only for a datum to which the requesting process already has access, and $P_{i_1}$ does not have access to $s_{j_2}$ nor $P_{i_2}$ to $s_{j_1}$, since $M$ does not share a datum. Moreover, $\lambda(q, J) = D(a_{i_1 j_2})\, D(a_{i_2 j_1})$, that is, both requests are delayed, since $M$ does not share a datum. Now $P_{i_1}$ is waiting for $s_{j_2}$ and $P_{i_2}$ is waiting for $s_{j_1}$ at $\delta(q, J)$. In addition, $P_{i_t}$ has access to $s_{j_t}$ at $\delta(q, J)$, $t = 1, 2$. Thus, $\delta(q, J)$ is a deadlock state and the theorem is proved.

^5 Recall that a data-sharing scheduler has been defined to be a complete sequential machine.

This theorem is the principal result of this paper. Its implications will be discussed in the next section.


SECTION VI


IMPLICATIONS  OF  THE  THEOREM 

The Basic Theorem shows the relation between deadlock and integrity of the data base in an unrestricted nontrivial scheduler: either deadlock or simultaneous access to some $s_j \in C$ must be allowed. Hence, an unrestricted, nontrivial scheduler which protects the integrity of the data base has a deadlock state. On the other hand, an unrestricted, nontrivial, deadlock-free scheduler cannot guarantee integrity of the data base unless $C = \emptyset$ (that is, unless there is no critical set of data). In case the system being considered uses the strategy of replication of a datum $s_j$ whenever $s_j$ must be shared, we consider this to be a case of "$M$ shares a datum." In practice, such a strategy is costly and causes great difficulty (see, for example, the discussion by Gray).

We assume for the remainder of this section that we are dealing with a system wherein $C \neq \emptyset$.

If integrity of the data base and a guarantee against deadlock are necessary, then at least one of the conditions "unrestricted" and "nontrivial" must be weakened. Weakening "nontrivial" leaves a trivial scheduler, where at most one process at a time has access to the entire critical set of data. Weakening "unrestricted" means allowing for the possibility that some requests (besides those for data already accessed) are forbidden. In a practical situation, then, a user of a shared data base must have a set of guidelines to tell him what data he can attempt to access. This set of guidelines could vary dynamically or could remain static. If it remains static, then obvious alternatives are that either the user stated his own limits when he began his run (as in the model of HC1), or the system defined his limits for him, perhaps for that particular run only or because the user has associated with him some access set which is invariant.

If the guidelines vary dynamically (i.e., during a run), the system could decide to vary them on its own initiative or the user could request an alteration of his guidelines using a new set of request signals.^6

^6 The models of HC1 do allow a user to alter his guidelines, but only by reducing his claim lists. Increasing the claim list is presently a nonexistent option in those models.
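The following Python model is an added illustration, not code from the paper or from HC1. It makes the two-process, two-datum case of the Basic Theorem's proof concrete (the tape $J = a_{12}\,a_{21}$ applied from a state where $P_1$ holds $s_1$ and $P_2$ holds $s_2$) and, by enumerating every reachable state of the machine, checks for four schedulers whether they are nontrivial, have a deadlock state, or share a datum. It therefore serves both the proof above and the two weakenings discussed in this section. The state encoding, the release inputs (the paper's input alphabet consists of requests only), and the `ordered` policy (data must be requested in index order, one simple way of forbidding some requests) are our own assumptions, not definitions from the paper.

```python
"""Two-process data-sharing scheduler as a complete sequential machine; added
example, not from the paper. Reachable states are enumerated exhaustively."""
from collections import deque
from itertools import product

PROCS, C = (1, 2), (1, 2)   # processes P_1, P_2; critical data s_1, s_2 (|C| > 1)
# ("a", i, j) is the request a_ij of the paper; ("r", i, j), a release of s_j by
# P_i, is our own addition so that delayed requests can later be served.
INPUTS = list(product("ar", PROCS, C))
# A state q lists, per process, (data it has access to, datum it is waiting for).
Q0 = ((frozenset(), None), (frozenset(), None))

def holders(q, j):
    return [i for i, (held, _) in zip(PROCS, q) if j in held]

def retry_waiting(st, policy):
    """After a release, serve any waiting request the policy now admits."""
    for k, (held, j) in enumerate(st):
        if j is not None and policy(tuple(st), PROCS[k], j) == "grant":
            st[k] = (held | {j}, None)
    return tuple(st)

def step(q, inp, policy):
    """Return (lambda(q, inp), delta(q, inp)); `policy` judges requests."""
    kind, i, j = inp
    k = PROCS.index(i)
    held, waiting = q[k]
    st = list(q)
    if kind == "r":
        if j not in held:
            return "error", q
        st[k] = (held - {j}, waiting)
        return "granted", retry_waiting(st, policy)
    if j in held:
        return "error", q            # the one request an unrestricted M may refuse
    if waiting is not None:
        return "delayed", q          # P_i is still blocked on its earlier request
    verdict = policy(q, i, j)        # "grant", "delay" or "error"
    if verdict == "error":
        return "error", q
    st[k] = (held | {j}, None) if verdict == "grant" else (held, j)
    return ("granted" if verdict == "grant" else "delayed"), tuple(st)

# Four schedulers: the theorem's case, a sharing one, and the two weakenings of
# Section VI. `ordered` is our own illustration of a restricted scheduler (not
# HC1's model): a_ij is illegal when P_i already holds some s_k with k > j.
def unrestricted_no_share(q, i, j):
    return "delay" if holders(q, j) else "grant"
def unrestricted_share(q, i, j):
    return "grant"                   # simultaneous access: M shares a datum
def trivial(q, i, j):                # at most one process at a time touches C
    return "delay" if any(h for n, (h, _) in zip(PROCS, q) if n != i) else "grant"
def ordered(q, i, j):
    if any(k > j for k in q[PROCS.index(i)][0]):
        return "error"
    return "delay" if holders(q, j) else "grant"

def is_deadlock(q):
    """Some processes each wait for a datum held by another of them (a cycle)."""
    waiting_on = {i: holders(q, w)[0] for i, (_, w) in zip(PROCS, q)
                  if w is not None and holders(q, w)}
    for start in waiting_on:
        seen, cur = set(), start
        while cur in waiting_on and cur not in seen:
            seen.add(cur)
            cur = waiting_on[cur]
        if cur in seen:
            return True
    return False

def reachable(policy):
    seen, todo = {Q0}, deque([Q0])
    while todo:
        q = todo.popleft()
        for inp in INPUTS:
            nxt = step(q, inp, policy)[1]
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen

def has_deadlock_state(policy):
    return any(is_deadlock(q) for q in reachable(policy))
def shares_a_datum(policy):
    return any(len(holders(q, j)) > 1 for q in reachable(policy) for j in C)
def is_nontrivial(policy):           # two processes with access to C at one state
    return any(sum(1 for held, _ in q if held) > 1 for q in reachable(policy))

def run_tape(q, tape, policy):
    outs = []
    for inp in tape:
        out, q = step(q, inp, policy)
        outs.append(out)
    return outs, q

def theorem_construction(policy):
    """Reach q with P_1 holding s_1 and P_2 holding s_2, apply the proof's tape
    J = a_12 a_21, and report lambda(q, J) and whether delta(q, J) deadlocks."""
    _, q = run_tape(Q0, [("a", 1, 1), ("a", 2, 2)], policy)
    outs, q_J = run_tape(q, [("a", 1, 2), ("a", 2, 1)], policy)
    return outs, is_deadlock(q_J)
```

Calling `theorem_construction(unrestricted_no_share)` returns the two delayed outputs and reports that $\delta(q, J)$ is a deadlock state, exactly the proof's construction; the exhaustive search confirms that this scheduler is nontrivial, never shares a datum and has a deadlock state, while `unrestricted_share` avoids deadlock only by sharing. The two weakenings behave as the section says: `trivial` is never nontrivial and has neither deadlock nor sharing (a request can still be delayed indefinitely while the other process holds data, which is permanent blocking without deadlock, as noted at the start of the previous section), and `ordered` is nontrivial, shares nothing and has no deadlock state, at the price of answering some requests with "error" even though the requester does not already hold the datum.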
A SUMMARY OF COMPLETE SEQUENTIAL MACHINES
A complete sequential machine^7 is a 5-tuple $M = (K, \Sigma, \Delta, \lambda, \delta)$ where

$K$ is a nonempty finite set of "states,"
$\Sigma$ is a nonempty finite set of "inputs,"
$\Delta$ is a nonempty finite set of "outputs,"
$\lambda$ is a function from $K \times \Sigma$ into $\Delta$, and
$\delta$ is a function from $K \times \Sigma$ into $K$.

The function $\delta$ is called the "next-state" function and $\lambda$ the "output" function. Elements of $K$ will be denoted $q$ or $q_i$ and elements of $\Sigma$ will be denoted $I$ or $I_i$. The machine is called "complete" because both $\lambda$ and $\delta$ are defined for every pair $(q, I)$ in $K \times \Sigma$.

A complete sequential machine $M$ can be thought of as a processor: when in a given state $q$, an input $I$ causes $M$ to change its state to the state specified by the next-state function (that is, to $\delta(q, I)$) and to emit the output $\lambda(q, I)$. From the next state $\delta(q, I)$, another input will cause a similar action by the machine $M$.

A tape of length $k$, where $k \geq 0$, is a (possibly empty) sequence of inputs $I^1, \ldots, I^k$. We extend the definitions of $\lambda$ and $\delta$ so that if $M$ is in state $q$, $\delta(q, I^1 \cdots I^k)$ is the state of $M$ after the sequence of inputs $I^1, \ldots, I^k$ has been processed by $M$ and $\lambda(q, I^1 \cdots I^k)$ is the sequence of outputs produced when $M$ has processed the tape $I^1 \cdots I^k$. For example, if $\lambda(q, I^1) = 1$ and $\lambda(\delta(q, I^1), I^2) = 3$, then $\delta(q, I^1 I^2) = \delta(\delta(q, I^1), I^2)$ and $\lambda(q, I^1 I^2)$ is the sequence 1, 3.

^7 The material in this section is found in (2, 3). A similar concept of machine is presented in HC1 to model a process.
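As an added example (ours, not from the paper or its references), the definitions of this summary can be written down directly: a machine is a 5-tuple of two tables over $K \times \Sigma$, "complete" is a property one can check by testing that both tables are total and land in $\Delta$ and $K$, and the extension of $\lambda$ and $\delta$ to tapes is a fold over the input sequence. The concrete states `q0`, `q1`, inputs `I1`, `I2` and the table entries are constructed to reproduce the numbers in the example above (output 1 then 3); the remaining entries are arbitrary choices needed only to make the machine complete.

```python
"""A complete sequential machine M = (K, Sigma, Delta, lambda, delta) with the
extension of lambda and delta to tapes. Added example, not from the paper."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class CSM:
    K: frozenset        # states
    Sigma: frozenset    # inputs
    Delta: frozenset    # outputs
    lam: dict           # lambda: (q, I) -> output
    delta: dict         # delta:  (q, I) -> next state

    def completeness_defects(self):
        """Pairs (q, I) on which M fails to be 'complete': an entry of lambda or
        delta is missing, or its value lies outside Delta or K respectively."""
        defects = []
        for q, I in product(self.K, self.Sigma):
            if (q, I) not in self.lam or self.lam[q, I] not in self.Delta:
                defects.append(("lambda", q, I))
            if (q, I) not in self.delta or self.delta[q, I] not in self.K:
                defects.append(("delta", q, I))
        return defects

    def run(self, q, tape):
        """The extended functions: returns (delta(q, tape), lambda(q, tape)).
        The empty tape (k = 0) leaves the state unchanged and emits nothing."""
        if q not in self.K:
            raise ValueError(f"{q!r} is not a state of M")
        outs = []
        for I in tape:
            outs.append(self.lam[q, I])   # output is emitted as the state changes
            q = self.delta[q, I]
        return q, tuple(outs)


# Constructed machine reproducing the appendix's numbers: from q0, input I1
# emits 1 and leads to q1; from q1, input I2 emits 3.
K = frozenset({"q0", "q1"})
SIGMA = frozenset({"I1", "I2"})
DELTA = frozenset({1, 3})
M = CSM(K, SIGMA, DELTA,
        lam={("q0", "I1"): 1, ("q0", "I2"): 3, ("q1", "I1"): 1, ("q1", "I2"): 3},
        delta={("q0", "I1"): "q1", ("q0", "I2"): "q0",
               ("q1", "I1"): "q1", ("q1", "I2"): "q0"})

# The same tables with one delta entry dropped: no longer a complete machine,
# so a tape reaching (q1, I2) would have no defined next state.
M_INCOMPLETE = CSM(K, SIGMA, DELTA, lam=M.lam,
                   delta={k: v for k, v in M.delta.items() if k != ("q1", "I2")})


def example_tape():
    """delta(q0, I1 I2) and lambda(q0, I1 I2) for the appendix's example."""
    return M.run("q0", ["I1", "I2"])
```

`example_tape()` returns the final state together with the output sequence `(1, 3)`, `M.completeness_defects()` is empty, and `M_INCOMPLETE.completeness_defects()` names the missing `delta` entry; running a tape that reaches that pair on the incomplete machine would raise a `KeyError`, which is the practical reason the data-sharing scheduler is required to be complete.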